Debian Bug report logs - #444430
CVE-2007-4993 privilege escalation

version graph

Package: xen-3.0; Maintainer for xen-3.0 is (unknown);

Reported by: Nico Golde <nion@debian.org>

Date: Fri, 28 Sep 2007 13:45:01 UTC

Severity: grave

Tags: security

Found in version 3.0.3-0-2

Fixed in versions 3.0.3-0-3, xen-3/3.1.1-1

Done: Bastian Blank <waldi@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Xen Team <pkg-xen-devel@lists.alioth.debian.org>:
Bug#444430; Package xen-3.0. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Xen Team <pkg-xen-devel@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: CVE-2007-4993 privilege escalation
Date: Fri, 28 Sep 2007 15:42:25 +0200
[Message part 1 (text/plain, inline)]
Package: xen-3.0
Version: 3.0.3-0-2
Severity: grave
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for xen-3.0.

CVE-2007-4993[0]:
| pygrub (tools/pygrub/src/GrubConf.py) in Xen 3.0.3, when booting a guest
| domain, allows local users with elevated privileges in the guest domain to
| execute arbitrary commands in domain 0 via a crafted grub.conf file whose
| contents are used in exec statements. 

If you fix this vulnerability please also include the CVE id
in your changelog entry.

For further information:
[0] http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4993

Kind regards
Nico

-- 
Nico Golde - http://ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Bug reassigned from package `xen-3.0' to `xen-3'. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Mon, 15 Oct 2007 12:48:07 GMT) Full text and rfc822 format available.

Bug reassigned from package `xen-3' to `xen-3.0'. Request was from Bastian Blank <waldi@debian.org> to control@bugs.debian.org. (Mon, 15 Oct 2007 14:54:03 GMT) Full text and rfc822 format available.

Bug 444430 cloned as bug 446771. Request was from Bastian Blank <waldi@debian.org> to control@bugs.debian.org. (Mon, 15 Oct 2007 14:54:03 GMT) Full text and rfc822 format available.

Bug marked as fixed in version 3.0.3-0-3, send any further explanations to Nico Golde <nion@debian.org> Request was from Bastian Blank <waldi@debian.org> to control@bugs.debian.org. (Mon, 15 Oct 2007 14:54:06 GMT) Full text and rfc822 format available.

Bug marked as found in version 3.1.0-2 and reopened. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Mon, 15 Oct 2007 22:24:03 GMT) Full text and rfc822 format available.

Bug no longer marked as found in version 3.1.0-2. Request was from Bastian Blank <waldi@debian.org> to control@bugs.debian.org. (Tue, 16 Oct 2007 06:27:02 GMT) Full text and rfc822 format available.

Reply sent to Bastian Blank <waldi@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #22 received at 444430-close@bugs.debian.org (full text, mbox):

From: Bastian Blank <waldi@debian.org>
To: 444430-close@bugs.debian.org
Subject: Bug#444430: fixed in xen-3.0 3.0.3-0-3
Date: Tue, 16 Oct 2007 19:56:36 +0000
Source: xen-3.0
Source-Version: 3.0.3-0-3

We believe that the bug you reported is fixed in the latest version of
xen-3.0, which is due to be installed in the Debian FTP archive:

xen-3.0_3.0.3-0-3.diff.gz
  to pool/main/x/xen-3.0/xen-3.0_3.0.3-0-3.diff.gz
xen-3.0_3.0.3-0-3.dsc
  to pool/main/x/xen-3.0/xen-3.0_3.0.3-0-3.dsc
xen-docs-3.0_3.0.3-0-3_all.deb
  to pool/main/x/xen-3.0/xen-docs-3.0_3.0.3-0-3_all.deb
xen-hypervisor-3.0.3-1-amd64_3.0.3-0-3_amd64.deb
  to pool/main/x/xen-3.0/xen-hypervisor-3.0.3-1-amd64_3.0.3-0-3_amd64.deb
xen-ioemu-3.0.3-1_3.0.3-0-3_amd64.deb
  to pool/main/x/xen-3.0/xen-ioemu-3.0.3-1_3.0.3-0-3_amd64.deb
xen-utils-3.0.3-1_3.0.3-0-3_amd64.deb
  to pool/main/x/xen-3.0/xen-utils-3.0.3-1_3.0.3-0-3_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 444430@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastian Blank <waldi@debian.org> (supplier of updated xen-3.0 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 05 Oct 2007 07:44:54 +0000
Source: xen-3.0
Binary: xen-docs-3.0 xen-hypervisor-3.0.3-1-i386-pae xen-utils-3.0.3-1 xen-hypervisor-3.0.3-1-i386 xen-hypervisor-3.0.3-1-amd64 xen-ioemu-3.0.3-1
Architecture: source amd64 all
Version: 3.0.3-0-3
Distribution: stable-security
Urgency: low
Maintainer: Debian Xen Team <pkg-xen-devel@lists.alioth.debian.org>
Changed-By: Bastian Blank <waldi@debian.org>
Description: 
 xen-docs-3.0 - documentation for XEN, a Virtual Machine Monitor
 xen-hypervisor-3.0.3-1-amd64 - The Xen Hypervisor on AMD64
 xen-ioemu-3.0.3-1 - XEN administrative tools
 xen-utils-3.0.3-1 - XEN administrative tools
Closes: 444007 444430
Changes: 
 xen-3.0 (3.0.3-0-3) stable-security; urgency=low
 .
   * Use linux-support-2.6.18-5.
   * Don't use exec with untrusted values in pygrub. (closes: #444430)
     See CVE-2007-4993.
   * Add bounds checks for cirrus bitblit memory accesses in qemu.
     (closes: #444007)
     See CVE-2007-1320.
Files: 
 d42726f5a374bfb8eb1a6618174ff893 1115 misc extra xen-3.0_3.0.3-0-3.dsc
 71257a2d977a601594c70c9eac0a121b 6127238 misc extra xen-3.0_3.0.3-0.orig.tar.gz
 64f2dd856726a95d88fe48531e987ff4 28697 misc extra xen-3.0_3.0.3-0-3.diff.gz
 b91af7395e7a1169be06ced33ef56daa 533396 misc extra xen-docs-3.0_3.0.3-0-3_all.deb
 b4ceb2935cf07339c98b7aa67709a508 368012 misc extra xen-utils-3.0.3-1_3.0.3-0-3_amd64.deb
 f7f8a51f48c87072fe2c0ffd03e066aa 331438 misc extra xen-ioemu-3.0.3-1_3.0.3-0-3_amd64.deb
 7957630a8fcd612e7492b7d14a36512d 269956 misc extra xen-hypervisor-3.0.3-1-amd64_3.0.3-0-3_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iEYEARECAAYFAkcF74QACgkQLkAIIn9ODhHMdwCdFuApz8nO5qMHNW8vtuzCMeoe
0TMAoLwgN3zun2jpDc5s6gUW9MRH7Ofw
=zeJ0
-----END PGP SIGNATURE-----





Reply sent to Bastian Blank <waldi@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #27 received at 444430-close@bugs.debian.org (full text, mbox):

From: Bastian Blank <waldi@debian.org>
To: 444430-close@bugs.debian.org
Subject: Bug#444430: fixed in xen-3 3.1.1-1
Date: Sat, 20 Oct 2007 09:32:11 +0000
Source: xen-3
Source-Version: 3.1.1-1

We believe that the bug you reported is fixed in the latest version of
xen-3, which is due to be installed in the Debian FTP archive:

xen-3_3.1.1-1.dsc
  to pool/main/x/xen-3/xen-3_3.1.1-1.dsc
xen-3_3.1.1-1.tar.gz
  to pool/main/x/xen-3/xen-3_3.1.1-1.tar.gz
xen-docs-3.1_3.1.1-1_all.deb
  to pool/main/x/xen-3/xen-docs-3.1_3.1.1-1_all.deb
xen-hypervisor-3.1-1-amd64_3.1.1-1_amd64.deb
  to pool/main/x/xen-3/xen-hypervisor-3.1-1-amd64_3.1.1-1_amd64.deb
xen-utils-3.1-1_3.1.1-1_amd64.deb
  to pool/main/x/xen-3/xen-utils-3.1-1_3.1.1-1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 444430@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastian Blank <waldi@debian.org> (supplier of updated xen-3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 19 Oct 2007 16:02:37 +0000
Source: xen-3
Binary: xen-utils-3.1-1 xen-docs-3.1 xen-hypervisor-3.1-1-i386-nonpae xen-hypervisor-3.1-1-amd64 xen-hypervisor-3.1-1-i386
Architecture: source amd64 all
Version: 3.1.1-1
Distribution: unstable
Urgency: low
Maintainer: Debian Xen Team <pkg-xen-devel@lists.alioth.debian.org>
Changed-By: Bastian Blank <waldi@debian.org>
Description: 
 xen-docs-3.1 - documentation for XEN, a Virtual Machine Monitor
 xen-hypervisor-3.1-1-amd64 - The Xen Hypervisor on AMD64
 xen-utils-3.1-1 - XEN administrative tools
Closes: 444430
Changes: 
 xen-3 (3.1.1-1) unstable; urgency=low
 .
   * New upstream release:
     - Don't use exec with untrusted values in pygrub. (closes: #444430)
       See CVE-2007-4993.
Files: 
 c1199cc8aef40a49783c2ee64d52762c 1089 misc extra xen-3_3.1.1-1.dsc
 702fc8cfb6c7364e688281adf5030e9e 7711618 misc extra xen-3_3.1.1-1.tar.gz
 041261398d5f36d68a13040526123603 1099324 misc extra xen-docs-3.1_3.1.1-1_all.deb
 7b757ecc3f52da95851397afe187b411 1126574 misc extra xen-utils-3.1-1_3.1.1-1_amd64.deb
 d389a2afa116ea99f19f441fe949162a 360808 misc extra xen-hypervisor-3.1-1-amd64_3.1.1-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iEYEARECAAYFAkcZuvsACgkQLkAIIn9ODhFougCfZvP/glET5XryC52nHqcb/iVW
4GoAn25SxCauDS3rJrHUR40/KGAglN2D
=bVUF
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 24 Jan 2008 07:29:14 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 23 18:13:02 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.